51. Data Breach Notification

Discussion Paper proposal

51.47 In DP 72, the ALRC identified support in submissions and
consultations for a requirement that data users notify individuals of a breach of
their personal information in certain circumstances.[78]
Supporters of a data breach notification law gave a number of reasons why such
a law would be valuable. These include that it would:

provide a strong market incentive and stimulus to organisations
to secure databases adequately to avoid the brand and reputational damage
arising from negative publicity;[79]

encourage attention to compliance and vigilance against identity
theft;[80]
and

improve accountability, openness and transparency in the handling
of personal information by agencies and organisations.[81]

51.48 As set out in DP 72, support was not unanimous among stakeholders,
and there were some organisations that did not support a mandatory data breach
notification requirement. The trigger for notification was highlighted as the
critical issue, with strong support expressed for the idea of making the
reporting requirement proportionate to the potential for harm caused by the
breach.

51.49 Having regard to several factors, including the ‘data abuse pyramid’
postulated by Professor Daniel Solove,[82] the ALRC proposed that the Privacy
Act be amended to include a new Part on data breach notification. The trigger
for the requirement proposed by the ALRC was where ‘specified personal
information has been, or is reasonably believed to have been, acquired by an
unauthorised person and the agency, organisation or Privacy Commissioner
believes that the unauthorised acquisition may give rise to a real risk of
serious harm to any affected individual’. Exceptions were provided, for example,
where: the specified information was adequately encrypted; it was acquired in
good faith by an employee or agent of the agency or organisation, where the
agency or organisation was otherwise acting for a purpose permitted by the
model Unified Privacy Principles (UPPs); or the Commissioner did not consider
that notification would be in the public interest. Civil penalties were
proposed for failure to notify the Commissioner of a data breach as required by
the Act.[83]

[81] Privacy NSW, Submission PR 193, 15 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[82] Solove suggests that it is important for the law to intervene early to address cases of data insecurity, rather than only providing criminal sanctions for cases of identity fraud: see Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [47.55]–[47.62].